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Hello, Virtual Friend 


My name is Emilio and I’m hacker & 
| like to play with packets, networks, electronics and 3D printers 


| presented security tools at various conferences (DEF CON, BlackHat 
Asia, AV Tokyo HIVE, Code Blue, SECCON, HITB, etc) 


Sorry, m not a native programmer or English speaker © 


UTC+9 (That's 16hr ahead of DEF CON) 


https://circo.cc 


Legal Disclaimer: 
x 
/ 


The tool is provided for educational, research or testing purposes. 
Using this tool against network/systems without prior permission is illegal. 


Radio waves are regulated per each country, before any radio wave transmission, make 
sure you complain within your country regulations (power, frequencies, bandwidth, etc.) 


The author is not liable for any damages from misuse of this tool, techniques, code or radio 
frequency violations. 


bla, bla, bla, bla... 
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Wait, what’s CIRCO v1? 


Python 2 
Network implant using cheap hardware 
Behaves like a Cisco Switch (honeypot) 


Lure SecNetDevOps systems 


Exfiltrate obtained credentials via: 
e 


ICMP 
Traceroute 
HTTP/HTTPS 
DNS 

NTP 

Proxy 
Wireless 


Fully encrypted (avoid forensic) 


And more... 
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Got it, what’s up with v2? 


Python 3 
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Improve Cisco IOS Honeypots (telnet, ssh, CDP and LLDP) 
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Honeypots (Cisco Services) 


Cisco CDP & LLDP Advertisement 
(/P-Phone or Network Switch) 


Cisco SNMP Agent 
Cisco Telnet CLI (IOS 15.x) 
Cisco SSH CLI (IOS 15.x) 


Cisco TCP stack (fingerprinting) hitps://ci 
ps: circo.cc 


Exfiltration Formats 


Honeypots 
e Telnet 
e  t«username»,«password»,«src. IP» 
*  te.enable password»,«src IP» 
* SSH 
e s,<username>,<password>,<src_|P> 
* s,e,<enable_password>,<src_|P> 
e SNMP (v1/v2) 
*  p.«community»,«src IP» 


Sniffed 


" FTP, Kerberos, NTLMv1/2, SMTP, HTTP, etc. 


*  nccredential//hash»,«dst IP» 
° SIP 
e v<hash> 
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Demo Labs 


Demo Time! 


Thank You! A 


(for watching) 


65 Emiliost 7052 (DEF CON Discord) 
vU ekio jp 

C https://github.com/ekiojp/circo 
$ https://circo.cc 


